HAProxy 502 bad gateway with Cloudflare Proxy
-
I now tried some other things:
- Using the cloudflare origin certificate on the haproxy frontend and as webConfigurator certificate -> did not change anything.
- Setting the SSL/TLS encryption mode in cloudflare to flexible instead of full or full (strict) -> did also not fix it. Without the cloudflare proxy, the full (strict) mode works fine.
These were some things I saw suggested to fix the problem. Sadly without success.
-
@klaussemmler Have you found a solution for this issue? I had the same setup and the same problem as you had.
-
@jycai I have installed a Mikrotik CRS305 as a switch in my network and at least the odd kde connect behaviour is fixed.
But the cloudflare issue still remains.
-
I now tried to set up everything with squid reverse proxy instead of haproxy but the issue with cloudflare proxy still remains. So it should not be a problem with haproxy itself.
-
It seems like I have found the answer!
Cloudflare DNS Proxy only works with http/https traffic on the free tier. If non-http/https traffic is used, for example when using a minecraft server, the DNS Proxy does not work.
This is where I got the information from:
https://community.cloudflare.com/t/cloudflare-minecraft-proxy/167417
-
@klaussemmler Some people mention pfBlockerNG is blocking traffic from Cloudflare proxied servers, but my website still does not work after I completely removed pfBlockerNG and rebooted pfSense.
-
@jycai Have you whitelisted the cloudflare ips in your pfSense? You can actually do this automated with pfBlockerng.
The ipv4 ips can be found here: https://www.cloudflare.com/ips-v4
The ipv6 ips can be found here: https://www.cloudflare.com/ips-v6
My pfBlockerng config for ipv4 looks like this (The alias at Custom DST Port contains port 80 and 443):
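As an added example (not code from anyone in this thread), the check that such an allow list performs, done in Python: only sources inside the published ranges are passed on ports 80/443, and a `CF-Connecting-IP` header is only believed when the packet really came from one of those ranges. The CIDRs below are constructed placeholders; the real lists are the two URLs above, and the function names are assumptions.

```python
import ipaddress

# Constructed placeholder ranges standing in for the one-CIDR-per-line files at
# https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6
SAMPLE_IPS_V4 = """198.51.100.0/24
203.0.113.0/25
"""
SAMPLE_IPS_V6 = """2001:db8:1::/48
2001:db8:2::/48
"""


def parse_cidr_list(text: str):
    """Parse a one-CIDR-per-line list into network objects, skipping blanks and comments."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


ALL_NETS = parse_cidr_list(SAMPLE_IPS_V4) + parse_cidr_list(SAMPLE_IPS_V6)


def is_cloudflare_edge(addr: str, nets=ALL_NETS) -> bool:
    """True if addr lies inside any allow-listed network of the same IP version."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets if n.version == ip.version)


def firewall_verdict(src: str, dst_port: int, nets=ALL_NETS, ports=(80, 443)) -> str:
    """Mimic the alias-based rule: pass allow-listed sources on 80/443, block everything else."""
    if dst_port in ports and is_cloudflare_edge(src, nets):
        return "pass"
    return "block"


def trusted_client_ip(src: str, headers: dict, nets=ALL_NETS) -> str:
    """Use CF-Connecting-IP only when the TCP peer is a Cloudflare edge; otherwise keep the peer."""
    if is_cloudflare_edge(src, nets) and "CF-Connecting-IP" in headers:
        return headers["CF-Connecting-IP"]
    return src


def haproxy_acl_file(nets=ALL_NETS) -> str:
    """Emit one CIDR per line, loadable in HAProxy with `acl from_cf src -f <file>`."""
    return "\n".join(str(n) for n in nets) + "\n"
```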
-
@klaussemmler Thank you, I added the Cloudflare IPs whitelist in pfBlockerNG as you suggested, however the Cloudflare proxy is still not working with Haproxy SSL offload on my nextcloud website. I don't get the 502 error, but half of the page info is missing. It is working when the Cloudflare proxy is off.
I am running version 2.6 and will try 2.52 and 2.4 later on to see if it makes a difference.
-
@jycai Okay, interesting. Another thing that could cause problems with cloudflare is the encryption mode in the SSL/TLS menu. Try the modes flexible, full and full (strict) and see if this fixes your problem.
-
@klaussemmler
Flexible mode - no connection at all
Full - Load half page
Full(strict) - Error 526
V2.6, V2.52 and V2.4 with Acme or Cloudflare origin server certificate - all the same result.
-
@jycai I am kinda out of ideas. But you can try to toggle the options in SSL/TLS -> Edge Certificates.
And are you sure you use the correct certificates for all servers?
-
@jycai With free cf choose flexible mode.
Check your pfsense firewall.
Sometimes the problem is at the frontend and backend. I remove and recreate them. It works.